TCPDump is a network packet analyser. It is available for download from tcpdump.org and is also available in the software archive.
Below are instructions detailing:
How to install TCPDump under Linux Mandrake
Further information on using TCPDump can be obtained from the man page.
TCPDump requires libpcap to be installed. Building libpcap may require bison and flex; these packages are available in the software archive.
To build libpcap, untar the source package, enter the directory and execute the following commands:
./configure (errors at this stage may indicate that flex/bison are not in your path)
make
make install
Flex and bison are both built in exactly the same way. You must then ensure that they are in your path before building libpcap.
To build tcpdump, untar the source package, enter the directory and execute the following commands:
./configure
make
make install
Following the steps above should leave you with a tcpdump binary in /usr/local/sbin. You will need root privileges to use it to capture from a network interface, since opening the interface for raw packet capture requires them.
How to install TCPDump under Linux Mandrake
The recommended way is to install the libpcap and tcpdump RPMs; building a working TCPDump binary from source under Mandrake is difficult! The RPMs are available through the Mandrake "software centre" or from the software archive.
To configure the software centre to download RPMs from an ftp site, the following steps need to be completed.
Open the software centre Configuration > Packaging > Software Centre
Select Define Sources
Select FTP source from pull down menu
Enter the name of the source (e.g. Mirror.ac.uk)
Enter the URL of the source (e.g. ftp://ftp.mirror.ac.uk/sites/sunsite.uio.no/pub/unix/Linux/Mandrake/Mandrake/8.2/i586/Mandrake/RPMS)
Enter the path to the hdlist.cz file (e.g. ../base/hdlist.cz)
Enter your ftp username and password or leave blank for anonymous ftp.
You can search or browse the package list for the desired packages. The software manager will automatically download and install the packages you select.
To install downloaded RPMs by hand, execute rpm -i <filename> as root. Check each package with rpm --checksig <filename> before installing it; an ftp mirror is not a trusted source, and a package whose signature or checksum does not verify should not be installed.
TCPDump has a wide range of features and can be used in a number of ways. This section gives a brief introduction to the basic features of TCPDump.
TCPDump can be used to capture some or all packets received by a network interface. The range of packets captured can be specified using a combination of logical operators and parameters such as source and destination MAC or IP addresses, protocol types (IP and Ethernet) and TCP/UDP port numbers. The range of options is rather large! See the man page for your version of TCPDump to see what it supports.
The packets captured can either be written to a file as raw data for later processing by tcpdump, or directed to standard output where they can be displayed or processed using other tools and scripts. Data written to a file can later be read back by TCPDump and directed to standard output in the same way.
It is quite common to use TCPDump to write a range of packets to a file and then read the packets required back from that file. This allows the dataset to be examined repeatedly while an expression is refined to extract exactly the packets required. It's quite frustrating to realise that you've only captured 98% of what you wanted; it's far better to capture 120% and then filter!
TCPDump output has the following format.
For UDP datagrams:
15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110
Timestamp 15:22:41.400299
Source address orac.erg.abdn.ac.uk
Source port 1052
Destination address 224.2.156.220
Destination port 57392
Protocol udp
Size (UDP payload bytes) 110
For TCP segments:
16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 19829 win 24820 (DF)
Timestamp 16:23:01.079553
Source address churchward.erg.abdn.ac.uk
Source port 33635
Destination address gordon.erg.abdn.ac.uk
Destination port 32772
PUSH flag set P
Sequence number of the first data byte in the segment 12765:
Data bytes run from that sequence number up to but not including 12925
Number of user data bytes in the segment (160)
Acknowledgement number, receive window size and IP header flags (DF = don't fragment) ack 19829 win 24820 (DF)
As the focus of this project is IP multicast, in-depth analysis of TCP headers using TCPDump is not discussed; however, this is a well researched area and Google is a good starting point.
Time Stamps
TCPDump adds a timestamp to each packet by default. The timestamp is local time in the format hours:minutes:seconds.microseconds, as in:
15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110
The following switches alter the timestamp format.
-t suppresses the timestamp output
orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 597
-tt gives an unformatted timestamp: seconds and microseconds since the Unix epoch (00:00:00 UTC, 1 January 1970), as read from the OS clock.
1029507868.335134 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 520
-tttt gives the interval in microseconds between receipt of the packet and of the previous packet. (Check the man page for your release: in current tcpdump releases this delta is printed by -ttt, while -tttt prints the date and time.)
358020 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 586
328704 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 893
391361 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 491
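The following Python script is an added example, not code from the original page or from the tcpdump project. It parses lines in the output format described above (both the default timestamp and the -tt epoch form), handles the UDP and TCP layouts, and computes the inter-packet delta in microseconds that the delta-timestamp switch prints. The two -tt lines it uses as input are the page's own line and a second one constructed here for the same flow; hosts and ports are taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Example code added by the editor; not part of the original page or of tcpdump.
# Parses the one-line-per-packet text that tcpdump writes to standard output
# in the format described above (default hh:mm:ss.usec timestamps or the -tt
# epoch form), handling the UDP and TCP layouts, and derives the per-packet
# delta in microseconds that the delta-timestamp switch prints.

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+'
    r'(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+'
    r'(?P<rest>.*)$')
# TCP detail: flags, optional "start:end(len)", optional "ack N", optional "win N".
TCP_RE = re.compile(
    r'^(?P<flags>[SFPRUWE.]+)'
    r'(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?'
    r'(?:\s+ack\s+(?P<ack>\d+))?'
    r'(?:\s+win\s+(?P<win>\d+))?')

@dataclass
class Packet:
    ts_usec: int        # microseconds since midnight, or since the epoch for -tt
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "udp" or "tcp"
    length: int         # UDP payload bytes, or TCP data bytes in the segment
    flags: str = ""
    seq: Optional[int] = None
    ack: Optional[int] = None
    win: Optional[int] = None

def ts_to_usec(ts: str) -> int:
    """'15:22:41.400299' or '1029507868.335134' -> integer microseconds,
    avoiding floating point so that deltas come out exact."""
    whole, frac = ts.split('.')
    usec = int(frac.ljust(6, '0')[:6])
    if ':' in whole:
        h, m, s = (int(x) for x in whole.split(':'))
        return ((h * 60 + m) * 60 + s) * 1_000_000 + usec
    return int(whole) * 1_000_000 + usec

def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump udp/tcp line: {line!r}")
    base = dict(ts_usec=ts_to_usec(m['ts']), src=m['src'], sport=int(m['sport']),
                dst=m['dst'], dport=int(m['dport']))
    rest = m['rest']
    if rest.startswith('udp '):
        return Packet(proto='udp', length=int(rest.split()[1]), **base)
    t = TCP_RE.match(rest)
    if not t:
        raise ValueError(f"unrecognised TCP detail: {rest!r}")
    return Packet(proto='tcp', length=int(t['len'] or 0), flags=t['flags'],
                  seq=int(t['seq']) if t['seq'] else None,
                  ack=int(t['ack']) if t['ack'] else None,
                  win=int(t['win']) if t['win'] else None, **base)

def inter_arrival_usec(lines: List[str]) -> List[int]:
    """Microseconds between each packet and the one before it."""
    ts = [parse_line(l).ts_usec for l in lines if l.strip()]
    return [b - a for a, b in zip(ts, ts[1:])]

# Sample input: the page's UDP and TCP lines, and the page's -tt line followed
# by a second -tt line constructed here for the same flow 358020 us later.
DEFAULT_FORMAT = [
    "15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110",
    "16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 19829 win 24820 (DF)",
]
EPOCH_FORMAT = [
    "1029507868.335134 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 520",
    "1029507868.693154 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 586",
]

if __name__ == "__main__":
    for line in DEFAULT_FORMAT:
        print(parse_line(line))
    print("deltas (us):", inter_arrival_usec(EPOCH_FORMAT))
```

Timestamps are converted to integer microseconds rather than floats so that the deltas are exact; epoch values are large enough that a double would round the last digit.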
Source and Destination addresses and Ports
To capture packets to or from particular groups or hosts a range of expressions can be used; here are some examples.
To capture all traffic with host churchward as source or destination address
tcpdump host churchward
To capture all traffic with TCP or UDP source or destination port 53
tcpdump port 53
To capture all traffic with the source address churchward
tcpdump src host churchward
To capture all traffic with TCP or UDP destination port 53
tcpdump dst port 53
To capture all TCP traffic with the source address churchward
tcpdump tcp src host churchward
To capture all traffic with UDP destination port 53
tcpdump udp dst port 53
There is a huge range of options available; the examples above are intended to give an introduction to the structure and syntax. See the man page for your release for full details of the supported options. Note also that tcpdump resolves addresses and ports to names by default; the -n switch suppresses this, which matters when capturing DNS traffic on port 53, since tcpdump's own lookups would otherwise add packets to the capture and slow it down.
Logical Operators
Expressions can be combined using and and or, and negated with not.
To capture all traffic with the source address churchward AND with the destination udp port 53
tcpdump src host churchward and udp dst port 53
To capture all traffic with the destination address 224.2.127.254 OR with the destination address 239.255.255.255
tcpdump dst 224.2.127.254 or dst 239.255.255.255
To capture all traffic with destination address 224.2.127.254 and NOT source address 139.133.204.110
tcpdump dst 224.2.127.254 and not src 139.133.204.110
Writing to and Reading from file
To write raw packets to a file for later processing the syntax is as follows
tcpdump -w <filename>
This can be combined with an expression to only write some packets to the file.
tcpdump -w dns-file udp dst port 53
This would write to the file dns-file only the packets with UDP destination port 53.
To read packets from a dump file
tcpdump -r <filename>
This can be combined with an expression to only read some packets from the file.
tcpdump -r dns-file src host churchward and udp
This would read from the file only the UDP packets sent by host churchward.
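As an added example (not from the original page or from the tcpdump or libpcap projects), the following Python code writes and reads the libpcap file format that -w produces and -r reads: a 24-byte global header holding the magic number, version, snapshot length and link type, then one 16-byte record header (timestamp, bytes saved, bytes on the wire) per packet followed by the saved bytes. The reader handles either byte order and flags packets that were cut short by the snapshot length, which is the check to run when a decode in a later section comes out incomplete. The two frames it writes are constructed filler, not captured data.

```python
import os
import struct
import tempfile
from typing import Iterator, List, Tuple

# Example code added by the editor; not part of the original page or of libpcap.
# A minimal writer and reader for the libpcap file format that "tcpdump -w"
# produces and "tcpdump -r" reads back, to show what the "raw data" in such a
# file is and to check a capture for packets cut short by the snapshot length
# (tcpdump's -s option), which silently loses the fields beyond it.

PCAP_MAGIC = 0xA1B2C3D4        # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D     # nanosecond timestamps (later libpcap releases)
LINKTYPE_ETHERNET = 1

def write_pcap(path: str, snaplen: int, packets: List[Tuple[int, int, bytes]]) -> int:
    """Write (ts_sec, ts_usec, frame) records in little-endian pcap form,
    keeping at most snaplen bytes of each frame as tcpdump -s does.
    Returns the number of records written."""
    with open(path, 'wb') as f:
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in packets:
            saved = frame[:snaplen]
            # Record header: ts_sec, ts_frac, bytes saved (caplen), bytes on the wire
            f.write(struct.pack('<IIII', ts_sec, ts_usec, len(saved), len(frame)))
            f.write(saved)
    return len(packets)

def read_pcap(path: str) -> Iterator[Tuple[float, int, int, bytes]]:
    """Yield (timestamp, caplen, origlen, data) per record; accepts either byte
    order (the magic number reveals it) and both timestamp resolutions."""
    with open(path, 'rb') as f:
        hdr = f.read(24)
        if len(hdr) != 24:
            raise ValueError("short pcap global header")
        for order in ('<', '>'):
            magic = struct.unpack(order + 'I', hdr[:4])[0]
            if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
                break
        else:
            raise ValueError(f"not a pcap file (magic {hdr[:4].hex()})")
        _, _vmaj, _vmin, _tz, _sig, _snaplen, _link = struct.unpack(order + 'IHHiIII', hdr)
        frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
        while True:
            rec = f.read(16)
            if not rec:
                return
            if len(rec) != 16:
                raise ValueError("truncated record header (capture cut short?)")
            ts_sec, ts_frac, caplen, origlen = struct.unpack(order + 'IIII', rec)
            data = f.read(caplen)
            if len(data) != caplen:
                raise ValueError("truncated packet data (capture cut short?)")
            yield ts_sec + ts_frac / frac_div, caplen, origlen, data

def truncated_packets(path: str) -> int:
    """Records whose saved bytes are fewer than the bytes on the wire."""
    return sum(1 for _, caplen, origlen, _ in read_pcap(path) if caplen < origlen)

def demo(snaplen: int = 96) -> Tuple[int, int, int]:
    """Write two constructed frames (60 and 200 bytes of filler) with the given
    snaplen; return (records written, records read back, records truncated)."""
    frames = [(1029507868, 335134, b'\x01' * 60), (1029507868, 693154, b'\x02' * 200)]
    fd, path = tempfile.mkstemp(suffix='.pcap')
    os.close(fd)
    try:
        written = write_pcap(path, snaplen, frames)
        return written, sum(1 for _ in read_pcap(path)), truncated_packets(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("written, read, truncated:", demo())
```

A file written this way can be opened with tcpdump -r; conversely, the reader will report the truncation in a file captured with a small -s value, which is the usual reason a later decode (RTCP sender reports, for instance) comes out short.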
How to use TCPDump to monitor IGMP messages
TCPDump can be used to capture all IGMP packets seen by the network interface using the following syntax:
tcpdump ip proto 2 (capture all packets with IP protocol number 2, which is IGMP)
This can be combined with the syntax above to adjust timestamps, monitor specific hosts or groups and write raw packets to file.
To monitor IGMP membership queries and reports sent to the group 224.2.127.254:
tcpdump ip proto 2 and dst 224.2.127.254
17:03:27.080329 churchward.erg.abdn.ac.uk > SAP.MCAST.NET: igmp v2 report SAP.MCAST.NET [ttl 1]
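The following Python code, an added example rather than anything from the original page or from tcpdump, decodes the packet behind a line like the one above from its raw bytes: it checks the IPv4 protocol field for 2, verifies both checksums, and reads the IGMPv2 type and group. The sample packet is constructed (a v2 membership report for 224.2.127.254, the address shown as SAP.MCAST.NET above, from the host address 139.133.204.110 used in the filter examples); no capture is involved.

```python
import socket
import struct

# Example code added by the editor; not part of the original page or of tcpdump.
# Decodes the packet behind a line such as
#   churchward.erg.abdn.ac.uk > SAP.MCAST.NET: igmp v2 report SAP.MCAST.NET [ttl 1]
# from raw bytes: an IPv4 header whose protocol field is 2, followed by the
# 8-byte IGMPv2 message. Both checksums are verified and the TTL, which IGMP
# requires to be 1, is reported.

IGMP_TYPES = {0x11: "query", 0x12: "v1 report", 0x16: "v2 report", 0x17: "leave"}

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_igmpv2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Constructed IGMPv2 message: type, max response time, checksum, group."""
    body = struct.pack('!BBH4s', msg_type, max_resp, 0, socket.inet_aton(group))
    return body[:2] + struct.pack('!H', inet_checksum(body)) + body[4:]

def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options) with its checksum, then the payload."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack('!H', inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def decode_igmp(packet: bytes) -> dict:
    """Parse IPv4 + IGMPv2; raises ValueError if it is not IGMP or is corrupt."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack('!H', packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    if proto != 2:
        raise ValueError(f"ip proto {proto}, not IGMP (2)")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    igmp = packet[ihl:total_len]
    if len(igmp) < 8:
        raise ValueError("IGMP message too short (truncated by the snapshot length?)")
    if inet_checksum(igmp) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, _max_resp, _csum, group = struct.unpack('!BBH4s', igmp[:8])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "ttl": ttl, "ttl_ok": ttl == 1,   # IGMP is link-local: tcpdump shows [ttl 1]
            "type": IGMP_TYPES.get(msg_type, f"0x{msg_type:02x}"),
            "group": socket.inet_ntoa(group)}

def is_valid_igmp(packet: bytes) -> bool:
    try:
        decode_igmp(packet)
        return True
    except ValueError:
        return False

# Constructed sample: a v2 membership report for 224.2.127.254 (the address that
# tcpdump shows as SAP.MCAST.NET above) from the assumed host 139.133.204.110.
SAMPLE_REPORT = build_ipv4("139.133.204.110", "224.2.127.254", 2, 1,
                           build_igmpv2(0x16, "224.2.127.254"))

if __name__ == "__main__":
    print(decode_igmp(SAMPLE_REPORT))
```

A report or leave whose checksum fails, or that arrives with a TTL other than 1, is worth a second look: routers act on these messages, and a forged report can keep a group joined on a segment that has no genuine members.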
How to use TCPDump to monitor RTP and RTCP traffic
TCPDump contains an option (-T rtp) to decode RTP traffic; this presents the output in a form that is easily manipulated using tools such as awk or perl scripts.
RTP and RTCP packets each contain a number of important fields; this section details these fields and illustrates how to use TCPDump to capture them.
RTP data should be transmitted on an even numbered UDP port, and the RTCP packets relating to that stream on the next higher (odd) port, i.e. "data port number" + 1. TCPDump has no way to recognise RTP inside arbitrary UDP traffic, so -T forces the packets selected by the expression to be decoded as the given type; make sure the expression selects only the RTP stream, or unrelated UDP packets will be decoded as if they were RTP.
To capture RTP headers the following syntax is required (the -vvv option adds the IP TTL, id and length fields shown in parentheses in the output):
tcpdump -T rtp -vvv src
The decoded output contains these fields (the values are from the first line of the capture below):
Timestamp 18:00:56.156473
Source Address orac.erg.abdn.ac.uk
Source Port 1052
Destination Address 224.2.156.220
Destination Port 57392
Protocol udp/rtp
RTP payload size (bytes) 741
RTP payload type (31 = H.261 video) c31
RTP header marker bit ("*" = set, blank = clear) *
RTP Sequence number 50140
RTP Timestamp 2686364689
Synchronization Source (SSRC) Identifier 489542890
Displayed for H.261 video only: the first 16 bits of the 32-bit H.261 payload header 0x1200
TTL ttl 127
IP Header identifier id 22854
Length of the IP datagram (bytes) len 781
You also need to specify carefully which packets you wish to capture; in the example below we capture based on source address and destination port.
tcpdump -T rtp -vvv src orac and dst port 57392
18:00:56.156473 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 741 c31 * 50140 2686364689 489542890 0x1200 (ttl 127, id 22854, len 781)
18:00:56.473889 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 321 c31 * 50141 2686393485 489542890 0x0e00 (ttl 127, id 22855, len 361)
18:00:56.915274 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 585 c31 * 50142 2686433084 489542890 0x0600 (ttl 127, id 22856, len 625)
18:00:57.236431 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 707 c31 * 50143 2686461872 489542890 0x1600 (ttl 127, id 22857, len 747)
18:00:57.432472 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 457 c31 * 50144 2686479874 489542890 0x1e00 (ttl 127, id 22858, len 497)
18:00:57.754166 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 570 c31 * 50145 2686508679 489542890 0x1e00 (ttl 127, id 22859, len 610)
18:00:58.157492 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 689 c31 * 50146 2686544679 489542890 0x1600 (ttl 127, id 22860, len 729)
18:00:58.510588 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 569 c31 * 50147 2686577061 489542890 0x0e00 (ttl 127, id 22861, len 609)
18:00:58.676815 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 594 c31 * 50148 2686591457 489542890 0x1e00 (ttl 127, id 22862, len 634)
18:00:58.999954 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 539 c31 * 50149 2686620273 489542890 0x0600 (ttl 127, id 22864, len 579)
18:00:59.368993 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 1024 c31 * 50150 2686652683 489542890 0x0a00 (ttl 127, id 22865, len 1064)
18:00:59.768796 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 988 c31 50151 2686688705 489542890 0x1e00 (ttl 127, id 22866, len 1028)
18:00:59.829548 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 178 c31 * 50152 2686688705 489542890 0x3e87 (ttl 127, id 22867, len 218)
18:01:00.092032 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 1006 c31 * 50153 2686717509 489542890 0x1200 (ttl 127, id 22868, len 1046)
18:01:00.491389 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 1008 c31 * 50154 2686753461 489542890 0x1600 (ttl 127, id 22869, len 1048)
This can be combined with the options above to alter time stamp format and to write raw packets to file.
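As an added example (not from the original page or from tcpdump), the following Python script parses the udp/rtp lines above and works out what a receiver would report from them: packets lost, judged from gaps in the sequence number, the number of marker packets, and the interarrival jitter estimate from RFC 3550 section 6.4.1. It assumes a 90 kHz RTP clock, which is what H.261 (payload type 31) uses, and in-order delivery. The first input set is the page's own first four lines; the second is constructed, with one sequence number missing and one packet arriving late.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Example code added by the editor; not part of the original page or of tcpdump.
# Parses the "udp/rtp" lines that tcpdump -T rtp prints (format shown above)
# and derives what a receiver would need to know: packets lost (gaps in the
# sequence number), packets with the marker bit set, and the RFC 3550
# interarrival jitter estimate. The RTP clock rate is assumed to be 90 kHz,
# as it is for H.261 (payload type 31, printed as c31).

RTP_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\S+)\.(?P<dport>\d+):\s+udp/rtp\s+(?P<plen>\d+)\s+c(?P<pt>\d+)\s+'
    r'(?P<marker>\*\s+)?(?P<seq>\d+)\s+(?P<rtpts>\d+)\s+(?P<ssrc>\d+)')

@dataclass
class RtpPacket:
    arrival: float      # seconds since midnight, from the tcpdump timestamp
    payload_len: int
    pt: int
    marker: bool
    seq: int
    rtp_ts: int
    ssrc: int

def parse_rtp_line(line: str) -> RtpPacket:
    m = RTP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump -T rtp line: {line!r}")
    h, mi, s = m['ts'].split(':')
    return RtpPacket(int(h) * 3600 + int(mi) * 60 + float(s), int(m['plen']),
                     int(m['pt']), m['marker'] is not None, int(m['seq']),
                     int(m['rtpts']), int(m['ssrc']))

def rtp_stats(lines: List[str], clock_rate: int = 90000) -> Dict[str, object]:
    """Assumes in-order delivery of one stream; sequence numbers are 16-bit
    and RTP timestamps 32-bit, so differences are taken modulo those widths."""
    pkts = [parse_rtp_line(l) for l in lines if l.strip()]
    if not pkts:
        raise ValueError("no RTP packets in input")
    lost, jitter = 0, 0.0
    for prev, cur in zip(pkts, pkts[1:]):
        gap = (cur.seq - prev.seq) & 0xFFFF
        if gap > 1:
            lost += gap - 1
        # RFC 3550 6.4.1: D = (Rj - Ri) - (Sj - Si) in timestamp units, with R
        # the arrival time in clock ticks and S the RTP timestamp; J += (|D| - J)/16
        d = (cur.arrival - prev.arrival) * clock_rate - ((cur.rtp_ts - prev.rtp_ts) & 0xFFFFFFFF)
        jitter += (abs(d) - jitter) / 16
    return {"packets": len(pkts), "lost": lost,
            "markers": sum(1 for p in pkts if p.marker),
            "ssrcs": {p.ssrc for p in pkts},
            "payload_bytes": sum(p.payload_len for p in pkts),
            "jitter_ticks": jitter, "jitter_ms": jitter * 1000.0 / clock_rate}

# Sample input: the first four lines of the page's own capture above.
PAGE_LINES = [
    "18:00:56.156473 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 741 c31 * 50140 2686364689 489542890 0x1200 (ttl 127, id 22854, len 781)",
    "18:00:56.473889 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 321 c31 * 50141 2686393485 489542890 0x0e00 (ttl 127, id 22855, len 361)",
    "18:00:56.915274 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 585 c31 * 50142 2686433084 489542890 0x0600 (ttl 127, id 22856, len 625)",
    "18:00:57.236431 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 707 c31 * 50143 2686461872 489542890 0x1600 (ttl 127, id 22857, len 747)",
]
# Constructed input (same hosts and ports, made-up values): sequence 102, the
# rest of the frame at RTP timestamp 3600, never arrives, and the packet that
# follows it arrives 10 ms later than its RTP timestamp implies.
CONSTRUCTED_LINES = [
    "18:00:00.000000 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 100 c31 * 100 0 489542890 0x1200 (ttl 127, id 1, len 140)",
    "18:00:00.040000 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 100 c31 101 3600 489542890 0x1200 (ttl 127, id 2, len 140)",
    "18:00:00.090000 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 100 c31 * 103 7200 489542890 0x1200 (ttl 127, id 3, len 140)",
]

if __name__ == "__main__":
    print(rtp_stats(PAGE_LINES))
    print(rtp_stats(CONSTRUCTED_LINES))
```

The jitter figure is in RTP clock ticks, the same unit the receiver reports in the j field of the RTCP reports in the next section, so the two can be compared directly.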
There are five types of RTCP packet:
SR: Sender report, for transmission and reception statistics from participants that are active senders
RR: Receiver report, for reception statistics from participants that are not active senders
SDES: Source description items, including CNAME
BYE: Indicates end of participation
APP: Application specific functions
Two of these are more common and interesting: sender and receiver reports. Details of the format of these messages are given below.
A sender report is longer than the default snapshot length (68 bytes in this release), so the -s option is used to specify the number of bytes captured from each packet, in this case 128. Fields beyond the snapshot length are not captured and cannot be decoded.
tcpdump -s 128 -vvv -T rtcp src <sender IP> and dst port <RTCP Port>
Timestamp 11:58:52.027102
Source Address orac.erg.abdn.ac.uk
Source Port 1053
Destination Address 224.2.156.220
Destination Port 57393
Type of RTCP Packet sr
Synchronization Source (SSRC) Identifier of sender 489542890
NTP Timestamp reference @3238744444.18
Media timestamp reference 2584794646
Number of packets sent 12583800p
Number of Bytes sent 2794620371b
Synchronization Source (SSRC) Identifier of the source reported on 489542890
Cumulative number of packets lost 1l
extended last seq number received 12646339s
Jitter 0j
orig. ts from last rr from this src @0.00
time from recpt of last rr to xmit time +0.00
No of Bytes of Source Description (sdes) data in the report sdes 60
Synchronization Source (SSRC) Identifier of Sender 489542890
TTL ttl 127
IP Header identifier id 22421
Length of the IP Datagram (B) len 140
You need to specify carefully which packets you wish to capture; in the example below we capture based on source address and port.
Here is a sample of RTCP sender reports from the ERG Rooftop Camera source.
tcpdump -s 128 -vvv -T rtcp src orac and port 57393
11:58:52.027102 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744444.18 2584794646 12583800p 2794620371b 489542890
1l 12646339s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19051, len 140)
11:58:55.772400 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744447.93 2585131669 12583837p 2794653187b 489542890
1l 12646376s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19089, len 140)
11:59:00.478495 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744452.64 2585555168 12583874p 2794686955b 489542890
1l 12646413s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19127, len 140)
11:59:07.916442 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744460.07 2586224502 12583901p 2794700449b 489542890
1l 12646440s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19155, len 140)
11:59:13.840491 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744466.00 2586757598 12583931p 2794716009b 489542890
1l 12646470s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19186, len 140)
To capture receiver reports the following syntax is required.
tcpdump -s 96 -vvv -T rtcp src <receiver IP> and dst port <RTCP Port>
The structure of an RTCP receiver report is given below.
Timestamp 17:56:49.960317
Source Address churchward.erg.abdn.ac.uk
Source Port 32895
Destination Address 224.2.156.220
Destination Port 57393
Type of RTCP Packet rr
Synchronization Source (SSRC) Identifier of the reporter (the receiver sending this RR) 1030014788
Synchronization Source (SSRC) Identifier of the source reported on 489542890
Cumulative number of packets lost 254l
extended last seq number received 639135s
Jitter 0j
orig. ts from last rr from this src @45275.34
time from recpt of last rr to xmit time +1.92
No of Bytes of Source Description (sdes) data in the report sdes 72
Synchronization Source (SSRC) Identifier in the SDES chunk (the reporter) 1030014788
TTL ttl 127
IP Header identifier id 16048
Length of the IP Datagram (B) len 132
You need to specify carefully which packets you wish to capture; in the example below we capture based on source address and port.
Here is a sample of RTCP receiver reports from a machine viewing the ERG Rooftop camera source.
tcpdump -s 96 -vvv -T rtcp src churchward and port 57393
17:56:49.960317 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639135s 0j @45275.34+1.92
sdes 72 1030014788 (ttl 127, id 16048, len 132)
17:56:57.260313 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639156s 0j @45282.35+2.20
sdes 56 1030014788 (ttl 127, id 16049, len 116)
17:57:00.130274 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639168s 0j @45287.25+0.17
sdes 60 1030014788 (ttl 127, id 16050, len 120)
17:57:04.800336 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639185s 0j @45287.25+4.84
sdes 56 1030014788 (ttl 127, id 16051, len 116)
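The following Python script is an added example, not code from the original page or from tcpdump. It parses the sr and rr lines shown above (re-joining lines that were wrapped for display) and derives what the cumulative fields only imply: the packets and bytes sent between consecutive sender reports, and for each interval between receiver reports the packets expected, the packets lost and the loss fraction, in the manner of RFC 3550 appendix A.3. The input is copied from the page's own reports above.

```python
import re
from typing import Dict, List

# Example code added by the editor; not part of the original page or of tcpdump.
# Parses the "sr" and "rr" lines that tcpdump -T rtcp prints (formats shown
# above) and derives figures the raw fields only imply: the sending rate
# between consecutive sender reports, and the packets lost in each interval
# between receiver reports, from the cumulative counters (RFC 3550 A.3).

HEAD_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<kind>sr|rr)\s+(?P<ssrc>\d+)\s+(?P<rest>.*)$')
SENDER_INFO_RE = re.compile(r'^@(?P<ntp>[\d.]+)\s+(?P<mts>\d+)\s+(?P<pkts>\d+)p\s+(?P<bytes>\d+)b')
# One report block: source SSRC, cumulative lost, extended seq, jitter, LSR, DLSR
BLOCK_RE = re.compile(r'(?P<source>\d+)\s+(?P<lost>\d+)l\s+(?P<ext_seq>\d+)s\s+(?P<jitter>\d+)j\s+'
                      r'@(?P<lsr>[\d.]+)\+(?P<dlsr>[\d.]+)')

def join_wrapped(lines: List[str]) -> List[str]:
    """One report per line: a line not starting with a timestamp is the
    continuation of the previous one (wrapped for display)."""
    out: List[str] = []
    for s in (l.strip() for l in lines if l.strip()):
        if out and not re.match(r'\d{2}:\d{2}:\d{2}\.\d+\s', s):
            out[-1] += ' ' + s
        else:
            out.append(s)
    return out

def parse_rtcp(line: str) -> Dict[str, object]:
    m = HEAD_RE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump -T rtcp sr/rr line: {line!r}")
    rep: Dict[str, object] = {"kind": m['kind'], "reporter": int(m['ssrc']), "blocks": []}
    rest = m['rest']
    if rep["kind"] == 'sr':
        si = SENDER_INFO_RE.match(rest)
        if not si:
            raise ValueError("sender report without sender info (snaplen too small?)")
        rep.update(ntp=float(si['ntp']), media_ts=int(si['mts']),
                   packets_sent=int(si['pkts']), bytes_sent=int(si['bytes']))
        rest = rest[si.end():]
    rest = rest.split(' sdes ')[0]      # report blocks precede the SDES summary
    for b in BLOCK_RE.finditer(rest):
        blk = {k: int(v) for k, v in b.groupdict().items() if k not in ('lsr', 'dlsr')}
        blk.update(lsr=float(b['lsr']), dlsr=float(b['dlsr']))
        rep["blocks"].append(blk)
    return rep

def sender_intervals(reports: List[Dict[str, object]]) -> List[Dict[str, float]]:
    """Between consecutive SRs: elapsed NTP seconds, packets and bytes sent."""
    srs = [r for r in reports if r["kind"] == 'sr']
    return [{"seconds": b["ntp"] - a["ntp"],
             "packets": b["packets_sent"] - a["packets_sent"],
             "bytes": b["bytes_sent"] - a["bytes_sent"]} for a, b in zip(srs, srs[1:])]

def receiver_loss(reports: List[Dict[str, object]], source: int) -> List[Dict[str, float]]:
    """Between consecutive RRs about `source`: packets expected (extended seq
    difference), packets lost (cumulative difference) and the loss fraction."""
    blocks = [blk for r in reports if r["kind"] == 'rr'
              for blk in r["blocks"] if blk["source"] == source]
    out = []
    for a, b in zip(blocks, blocks[1:]):
        expected, lost = b["ext_seq"] - a["ext_seq"], b["lost"] - a["lost"]
        out.append({"expected": expected, "lost": lost,
                    "fraction": lost / expected if expected > 0 else 0.0})
    return out

# Sample input copied from the page's own sender and receiver reports above.
SR_LINES = """\
11:58:52.027102 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744444.18 2584794646 12583800p 2794620371b 489542890
1l 12646339s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19051, len 140)
11:58:55.772400 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744447.93 2585131669 12583837p 2794653187b 489542890
1l 12646376s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19089, len 140)
""".splitlines()
RR_LINES = """\
17:56:49.960317 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639135s 0j @45275.34+1.92
sdes 72 1030014788 (ttl 127, id 16048, len 132)
17:56:57.260313 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639156s 0j @45282.35+2.20
sdes 56 1030014788 (ttl 127, id 16049, len 116)
17:57:00.130274 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639168s 0j @45287.25+0.17
sdes 60 1030014788 (ttl 127, id 16050, len 120)
17:57:04.800336 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639185s 0j @45287.25+4.84
sdes 56 1030014788 (ttl 127, id 16051, len 116)
""".splitlines()

def summarise() -> Dict[str, list]:
    srs = [parse_rtcp(l) for l in join_wrapped(SR_LINES)]
    rrs = [parse_rtcp(l) for l in join_wrapped(RR_LINES)]
    return {"sender": sender_intervals(srs), "receiver": receiver_loss(rrs, 489542890)}

if __name__ == "__main__":
    print(summarise())
```

On the page's receiver reports this shows the loss arriving in one burst: 11 of the 12 packets expected between the second and third report were lost, and none in the other intervals, which the cumulative 254l/265l figures alone do not make obvious.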
This page is maintained by Alastair Matthews <alastair@erg.abdn.ac.uk>. It was last updated on 14/8/02.